On Friday, multiple activist groups and telecommunications experts filed a complaint with the Federal Communication Commission (FCC) centering on how AT&T, T-Mobile, Sprint, and Verizon sold their customers' real-time location data to third parties without those customers' informed consent.
The move comes after multiple Motherboard investigations into how telecom companies either sold their customers' data, or allowed it to fall into the wrong hands.
"The Carriers' actions have threatened public safety, contrary to Congress’ directive that the Commission ensure communications networks promote safety of life and property. The Carriers’ improper disclosure of location information enabled stalkers, people posing as police officers, debt collectors, and others to take advantage and find unwitting individuals. Furthermore, it is likely that abuses of location data have disproportionately impacted disadvantaged and marginalized communities," the complaint reads.
The organizations behind the complaint are the Open Technology Institute, part of thinktank the New America Foundation; Free Press, a media advocacy group; and the Georgetown Law Center on Privacy & Technology (CPT).
Do you know anything else about the sale or use of location data? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
In January, Motherboard reported that through a complex network of middlemen, AT&T, T-Mobile, and Sprint were selling location data that ended up in the ends of bounty hunters. A second investigation found just one company had around 250 bounty hunter clients for phone location data. Some of that information included highly precise A-GPS data. Motherboard also covered one firm called Captira that provided phone location data to all of the major telecoms including Verizon to bail bondsman for $7.50.
Another Motherboard report showed how stalkers and debt collectors pose as law enforcement to trick telecoms into handing over real-time location data. In May last year, The New York Times reported how a company called Securus was providing phone location data to low level law enforcement without a warrant.
The new complaint filed to the FCC centres around the idea of consent, or rather the lack of it, with the carriers providing it to so-called location aggregators, which would then sell the data onto other companies, as well as providing it to unauthorized parties directly, such as those tricking them for the information. Specifically, the complaint alleges that the carriers' "disclosure of customers' location information violates Section 222 and 201(b) of the Communications Act and the Commission's implementing rules."
"The Carriers’ widespread and reckless unauthorized disclosure of customers’ location information further constitutes an unjust and unreasonable practice in violation of Section 201(b) of the Communications Act," it adds.
The FCC did not immediately respond to a request for comment.
Subscribe to our new cybersecurity podcast, CYBER.